Protect Your PDAs, PDQ!

Sometimes you want people to look at your stuff; sometimes you don’t.
When you’re trying to sell something, you want people to read about your
wares. If you have secrets, though, you want to keep them. But there are
also times you might allow strangers a closer look—for instance, allowing
bag inspection at the airport or financial inspection by the IRS. Even
though you may not want to expose things considered private, the law may
force your hand.

The point here is that we all make choices about what we expose and when
we expose it. When I travel now, I don’t pack anything in my carry-on
bag that, if examined in public, would embarrass me. On the other hand,
I do wear brightly colored toe socks (in case I’m asked to take off my
shoes) and wild T-shirts underneath my coat. It makes the routine searches
less of an intrusion into my privacy, and I usually get a smile out of
the otherwise serious airport security guards.

But even though my bags and I are subject to inspection, my Pocket PC
still keeps its secrets. Does yours? I’m talking about the data sitting
on your Pocket PC or Palm device. What’s keeping it private? And what’ll
happen if someone steals your Pocket PC? Where does the data go when you
lose it? Yeah, yeah, I know—it’s just a bunch of addresses and a calendar.
Harumpfh! Whose addresses? Your customers’? That’s not valuable, is it?
Whose calendar? Maybe you think your schedule would be of no consequence
if it were lost—but what about the schedules of your C-level executives?

They’re Everywhere!
Jolt. Yep, something to think about. Contemplate this: Those tiny
digital notepads are used for more than personal data. They’re clients
for patient databases, information collection front-ends for warehouse
inventory, and gateways straight into your corporate networks. And they’re
stolen, lost and abandoned around the world in frightening numbers. No
one knows how many, but we do have projections on the total numbers of
devices available: IDC says that 4 million have been shipped so far, and
it estimates that 6 million will be available by 2004. What’s more, they’re
not the only devices to worry about. Some projections claim that by the
end of this year there will be millions of Internet-enabled mobile phones
sucking data into the palm of someone’s hand. Others provide estimates
of 20 million PDAs and handheld devices, and 1 billion handheld computers
and mobile telephones with wireless connectivity by 2003.

Ask most people—including vendors—about security for Pocket PC or Palm,
and you’ll probably hear about the power-on password and Virtual Private
Network (VPN) client. They don’t tell you about the maintenance backdoor.
(Palm had one once. Can we be absolutely sure that every PDA is free of them
now?) Vendors don’t remind you that a single password is lightweight protection
or that an estimated 50 percent of PDA owners never turn it on; they don’t
warn you about unauthorized IRDA or Bluetooth connections or unauthorized
PDA-to-PC synching. Their job is to sell products, not tell you what’s
lacking in them. Your job, on the other hand, is to make sure that whatever
platforms your organization chooses to allow, they’re managed with the
appropriate level of security. What’s appropriate depends on many things
and should be an official management policy.

Physical Protection
Handhelds should be physically secured. The level of security depends
on the role the handhelds play and their location.

These things are so small, yet so powerful—and so powerful a target.
The first line of defense is to protect the handheld from theft and loss.
Few options exist for that. Unlike most laptop computers, handhelds aren’t
manufactured with a security slot. Ordinary laptop locks are useless.
Two companies produce appropriate physical PDA-connected locking devices,
but they’re not available for all PDAs.

Kensington (www.kensington.com)
markets the Kensington PDA Saver, a six-foot galvanized steel cable, lock
and connector that attaches to the stylus slot on the PDA. You can still
use the PDA when it’s secured. Unfortunately, it’s only compatible with
Palm Pilot, Palm Pilot Pro, Palm III series, Palm VII series, Handspring
Visor, Handspring Visor Plus, Symbol Tech SPT 1500, IBM Workpad and IBM
Workpad Companion. Check the details; some warn that it’s not effective
with some models of Palm Pilot. It’s not available at the Kensington Web
site anymore, but you can find it at www.pdamart.com/kenpdaseclea.html.

Force (www.force.com) sells “The Bond,”
a small device that attaches to the base of a Palm III, Palm IIIX, Palm
VII, IBM WorkPad PC Companion and Symbol Technologies’ SPT-1500. Once
attached, the device provides a place to attach commonly available locks,
lanyards and other devices. The site doesn’t advertise it as a security
device, but having the ability to attach a lanyard provides some security
against loss. And being able to lock the PDA to the desk is more effective
than no lock at all.

Organizations should evaluate these devices for the protection they may
provide and their application in a specific environment. It’s important,
though, that users don’t see a lock as the end-all in handheld security.
Locking devices for laptops and PDAs are inhibitors but aren’t designed
to resist a planned attack. Cable cutters can certainly make mincemeat
out of most provided cables, and a determined thief can even destroy them
with toenail clippers.

Those locks were for Palm and related devices, but Pocket PC owners need
to lock their PDAs, too. Until someone figures out that there’s a market
here, you can use more traditional methods of protecting the device. Try
locking it in your desk drawer, suitcase or hotel safe.

Registration can also be effective. You can
obtain registration plates and stickers from several sources. Registration
services range from simple “Here’s-a-sticker” deterrents to more exotic,
expensive techniques. They include individualized offline recording of
each handheld’s unique registration number and the use of tamper-proof
plates and labels like those from the Secure Tracking of Office Property
(STOP) method offered by the company Australian Project (www.austprojects.com.au/stop.htm).
Most of the bar-coded labels provided also have toll-free numbers. If
your handheld is found by honest individuals or recovered by police, you’ll
get it back. Some registration databases will also provide you with documentation
from their databases for insurance purposes (think major catastrophe that
wipes out an office and destroys all your computer equipment). While these
tags don’t prevent a thief from snatching the device, some insurance companies
quote statistical evidence that tagged items are much less likely to be
stolen.

Finally, if you use external storage of any kind, also consider the value
of the data on this storage and physically protect it.

Access Control
All handhelds should use power-on passwords and/or devices and software
designed to prevent unauthorized access and usage.

While the power-on password isn’t adequate for all implementations, it’s
a start. One thing’s for sure: If it’s not used, it’s not doing any good.
To go beyond the basics, you can use two-factor authentication like RSA
SecurID (www.rsa.com), the Digipass Pro
from Vasco (www.vasco.com) and many
smart cards. Another option, from Authentec (www.authentec.com),
is a tiny fingerprint reader that easily fits on the handheld and doesn’t
require external devices. In addition to providing better access control,
some of these solutions also offer digital signatures, with encryption
based on the password. Others add more unique services.

F-Secure’s FileCrypto for Pocket PC Enterprise Edition allows three tries
at its PIN-based authentication process. After this, a passphrase is requested.
Failure to enter a correct passphrase locks the device. Only a master
key, produced during installation, can be used to unlock the system. F-Secure
Key Manager provides centralized key creations and storage of backup keys.
This also provides recovery of encrypted data should the user forget the
passphrase. A Personal Edition is also available at www.f-secure.com.

One innovative product will delete all the PDA’s data if the Access Control
function is attacked. For more information, look at PDA Defense (www.pdadefense.com).
This tool can also cause your PDA to self-destruct if it’s not synched
within a certain time frame and can’t be bypassed by a soft reset. Such
programs can be set to wipe the system if a certain number of incorrect
attempts at entering the password is made. While this may seem a drastic
move, I’m not recommending it for every casual user. But what if the PDA
belongs to George Bush?
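The lockout and self-wipe behaviours described above (a limited number of PIN tries, escalation to a passphrase, a lock that only a master key can release, a wipe when the failure budget or the sync deadline is exhausted, and state that survives a soft reset) can be modelled as a small state machine. The following is an added example written for this article; it is not code from F-Secure, PDA Defense or any other vendor. Every name, threshold and sample record in it is constructed, and secrets are kept only as salted PBKDF2 hashes so nothing on the device stores the PIN or passphrase in clear.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class LockPolicy:
    """Hypothetical thresholds; set them according to the data classification."""
    pin_tries: int = 3                    # PIN failures before a passphrase is demanded
    passphrase_tries: int = 1             # passphrase failures before the budget is spent
    wipe_on_exhaustion: bool = False      # False: lock (master key only); True: wipe data
    max_hours_without_sync: float = 72.0  # self-wipe if the device has not synced in time


def _derive(secret: str, salt: bytes) -> bytes:
    """Store only a salted, stretched hash of each secret, never the secret itself."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


class DeviceLock:
    """States: 'pin' -> 'passphrase' -> 'locked' or 'wiped'; 'unlocked' on success.
    The failure counter and state are kept across a soft reset on purpose."""

    def __init__(self, pin, passphrase, master_key, data, policy=LockPolicy()):
        self.policy = policy
        self._salt = os.urandom(16)
        self._pin = _derive(pin, self._salt)
        self._passphrase = _derive(passphrase, self._salt)
        self._master = _derive(master_key, self._salt)   # produced at installation
        self.data = dict(data)                           # constructed on-device records
        self.state = "pin"
        self.failures = 0
        self.last_sync_hours = 0.0
        self.wipe_reason = None

    def _matches(self, stored: bytes, candidate: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(stored, _derive(candidate, self._salt))

    def _unlock(self) -> str:
        self.state, self.failures = "unlocked", 0
        return self.state

    def _fail(self) -> str:
        self.failures += 1
        budget = self.policy.pin_tries + self.policy.passphrase_tries
        if self.failures >= budget:
            if self.policy.wipe_on_exhaustion:
                self.wipe("too many failed attempts")
            else:
                self.state = "locked"
        elif self.failures >= self.policy.pin_tries:
            self.state = "passphrase"
        return self.state

    def attempt_pin(self, pin: str) -> str:
        if self.state != "pin":
            return self.state        # PIN is no longer accepted once escalated
        return self._unlock() if self._matches(self._pin, pin) else self._fail()

    def attempt_passphrase(self, passphrase: str) -> str:
        if self.state != "passphrase":
            return self.state
        return self._unlock() if self._matches(self._passphrase, passphrase) else self._fail()

    def unlock_with_master_key(self, key: str) -> str:
        """Only the master key releases a locked device; a wiped one stays wiped."""
        if self.state != "wiped" and self._matches(self._master, key):
            return self._unlock()
        return self.state

    def soft_reset(self) -> str:
        """A soft reset must not bypass the lock: state and counter persist."""
        return self.state

    def record_sync(self, now_hours: float) -> None:
        self.last_sync_hours = now_hours

    def check_sync_deadline(self, now_hours: float) -> str:
        overdue = now_hours - self.last_sync_hours > self.policy.max_hours_without_sync
        if self.state != "wiped" and overdue:
            self.wipe("sync deadline missed")
        return self.state

    def wipe(self, reason: str) -> None:
        self.data.clear()
        self.state, self.wipe_reason = "wiped", reason
```

The two policy variants in the text are selected with `wipe_on_exhaustion`: the default locks the device until the installation-time master key is presented (the F-Secure-style recovery path), while `True` destroys the data instead (the PDA Defense-style behaviour). Whichever is chosen, `check_sync_deadline` should be driven from a clock the user cannot simply reset, or the sync deadline is only a suggestion.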

Protection from Malicious Code
Anti-virus protection should be extended to handhelds, along with the
use of handheld-specific anti-virus programs and sound, enterprise-wide
anti-virus action.

Handhelds haven’t been targets of massive malicious code attacks. Perhaps
it’s because the attack surface is smaller (there’s no macro language
for Pocket PC, for example, as the OS is much different), and perhaps
the target isn’t sexy enough. In a quick search, I found only two reported
cases of PDA-specific malicious code. No one thinks that will be the case
for long, and it’s widely believed that the current danger is that handhelds
may be targeted as unsuspecting vectors. The fear is that they’ll transfer
a Windows or Linux virus from some source to another. Perhaps they’ll
download it from a Web page and place it on the desktop when synching,
or it’ll be transferred when other communications are consumed. Two widely
known products can help.

F-Secure’s Anti-Virus for Pocket PC resides on the device for local protection.
Local storage can be scanned at startup, auxiliary storage upon insertion.
Updates are pushed to the device from the user’s PC or can be downloaded
via a wireless connection such as WLAN, Bluetooth or a GSM/GPRS phone.

On-board Data Protection
Critical data should be erased if access control mechanisms are under
attack or damaged. Sensitive data should be protected by encryption, and
non-sensitive data should be optionally protected by encryption.

Several encryption programs exist. They can be comprehensive and encrypt
all data or be set for specific databases on the device. They can be automatic
or under the control of the user. Different software works in various
ways, from decryption of specific data when accessed, to on-demand with
password entry for each decryption. Some software automatically begins
to encrypt decrypted data if the system is idle for a predetermined length
of time.

Note: I’ve used the terms critical, sensitive and non-sensitive to describe
different policies for different types of data. You should substitute
your meaningful data classification terms in the policy. I’ve deliberately
refrained from using the typical government terms for classifying data
to emphasize that all organizations—not just governments—should differentiate
sensitivity levels and write policies accordingly.

You should also ensure that data kept on external storage is protected
by encryption. Neither of the previously mentioned locking devices has
any means for preventing the removal of storage cards or other attached
external storage media. Encryption products include standalone products
and those that are part of a larger security suite:

Data Transfer/Connection Protection
There are several connection issues to consider: connections for synching,
wireless connections for data transfer, local area network connections,
and external or untrusted network connections. Of these, only the synching
concept is unique to PDAs. In addition, the need to protect data in flight
is shared with other devices.

Synching, Wireless Data Connections
Handhelds should be protected against unauthorized synching. “Beaming”
or other data transfer via wireless means must be secured or disabled.

Because synching and other forms of data transfer via wireless means
are now accepted practice, give thought to potential attacks. For example,
if an inbound data transfer requires the user to give permission, he or
she might not understand what that means. Users of handhelds, just like
users of PCs, may click “OK” to get rid of annoying or unrecognized pop-up
messages.

PDASecure Enterprise (www.trustdigital.com/prod16c.htm)
can stop unauthorized synching via password protection. This product also
has the ability to create unique policies for each user and push security
to their PDAs. Encryption, lock after power off and other features are
available. There’s a matching desktop product called ForeverSecure.

External Connections and Protecting Data in Flight
External connections to company networks—via Internet, dial-up and other
untrusted network—should only be allowed through an approved VPN or Secure
Sockets Layer (SSL). LAN connections require authentication and other
protection as determined by the application.

Software abounds to permit PDAs to connect using VPNs and enable SSL.
Still, not all organizations require such connectivity. What’s more, data
should be protected while in flight. Which applications require which
type of protection should be determined irrespective of client device.
Thus, if a connection’s approved for access from the Internet, the next
decision is whether the access and data transfers should be protected
via a VPN, SSL or some other means. This is then followed by a decision
on whether a PDA can meet the client-side requirements—not just in regard
to capability, but also in regard to suitability and securability.

In a typical installation, Microsoft Mobile Information Server (MIS) sits on your network and serves as the
carrier interface. Your clients connect to the carrier that, in turn,
connects to MIS. Client access to your network is controlled by MIS. MIS
also offers unique client models for managing two secure deployment issues.

First, having a corporate account on the client can mean that a client
compromise would equate to a network compromise.

Second, many handheld devices make it difficult to enforce strong passwords.
Entry of long, alphanumeric passwords isn’t easy and may not be possible.
If shorter, weaker passwords are allowed, changing the password policy
for the entire domain will weaken all access controls, not just wireless.

MIS mitigates this vulnerability by providing alternative-user account
scenarios. In each, unique accounts are used and, thus, access permissions
can be tightened to reduce a user’s access when working from these devices.
In one scenario, an auxiliary wireless account is created in the same
domain as the user; in another, a separate account is created in an auxiliary
domain. A third scenario creates a special Access user account in a separate
forest. A number of other security-related functions are available.

Usage Definitions and Data Decisions
Handhelds used for business purposes should be owned and managed by
the business. Handhelds should be used for business purposes only.

It’s far more difficult to enforce security on privately owned devices.
Users tend to assume ownership grants them privileges as to the configuration
of the device, as well as the data it may or may not contain. In addition,
significant legal hurdles stand in your way if you suspect improper use
of company data.

On the other hand, company-owned devices can be required to follow strict
configuration and usage policies and can be reclaimed (along with the
company data) for breach of policy or at employee termination.

Users who are issued handhelds should be required to follow the appropriate
security policies and protect the device, its data and its connections
at all times. Failure to follow policy can result in recall of the handheld
and disciplinary action, including dismissal.

Each application must be reviewed to determine if the handheld is an appropriate
or secure place for data location.

It’s time to determine where data can best be protected. In many cases,
it may be best if data is centrally located and accessed by—not downloaded
to—the handheld. Best-practice examples are those where client connections
allow access to patient data or other personal data. The U.S. HIPAA (Health
Insurance Portability and Accountability Act) laws require stricter control
of patient data. In Europe, strict privacy laws may involve prosecution
of the individual responsible for allowing access to personal data.

Awareness Training
All employees should be required to attend or otherwise meet awareness-training
objectives that address both the security issues and company policies,
as well as provide up-to-date education and information on best practices
for handheld protection.

It’s not enough to just have a policy in place, nor administrative or
technical enforcement of that policy. Employee buy-in of the goals of
data protection and device loss prevention must be a major objective.